How to build a cloud security operations center
By Dave Shackleford
To better protect workloads and data in the cloud, security operations centers collaborate with various IT teams. Learn how to cloud-enable your organization’s SOC. As more organizations deploy critical workloads and data into the cloud, an increasing number of attacks are focused on these environments. The nature of today’s security operations center must change to reflect the widespread transition to cloud.
As more organizations deploy critical workloads and data into the cloud, an increasing number of attacks are focused on these environments. The nature of today’s security operations center must change to reflect the widespread transition to cloud.
Several distinct challenges can make cloud incident detection and response difficult, including the following:
- Lack of skills in cloud technologies. Many security operations analysts and incident responders have not had the time nor capacity to learn about cloud environments and technologies.
- Vendor incompatibility. Some commonly used security operations tools and services may be less functional or incompatible in cloud service provider environments.
- Lack of cloud visibility. Many organizations lack deep insight and introspection into the current assets and operations within their cloud deployments, making security operations more challenging.
- Ephemeral workloads. Many workloads in the cloud, such as containers, only exist for a short time, making response and root cause analysis difficult or impossible.
Security operations center (SOC) teams must adapt to cloud environments. Some governance changes will likely happen organically when the cloud starts to become more prevalent in the organization. Traditional risk teams need to integrate with vendor management and procurement teams. The cloud security operations center also needs to align with risk teams to understand which cloud environments are in use and which are planned for the future. If a cloud SOC team is unaware of where assets are running or what applications are in use, it is unable to identify attacks or incidents.
Cloud security operations center teams also must collaborate with various areas of IT. Organizations no longer have everything compartmentalized in a single data center or set of data centers. The SOC team needs to work with the cloud engineering team — if the organization has one — to better understand the cloud providers the organization is working with, as well as the specific services and assets deployed. Cloud SOC teams should use this information to optimize their own activities and integrate with DevOps teams, which will involve opportunities for automation and discovering what pipeline tools are in use.
How to build an effective cloud security operations center team
Cloud security operations center teams should perform the following actions upfront to cloud-enable the SOC and its response functions:
- Establish a separate cloud account or subscription entirely under their control.
- Create least privilege accounts to perform specific actions in the cloud when needed, and define account roles — ideally for cross-account access.
- Implement multifactor authentication for all accounts.
- Enable write-once storage for logs and evidence, a best practice even if evidence is not currently stored in the cloud. For example, in AWS, cloud SOC teams can use S3 bucket versioning for secure retention and recovery.
Cloud security operations center logging best practices
Organizations should enable logging and event aggregation for any major IaaS cloud. Core logging architecture involves three distinct functions:
1.Enabling a core API logging source. These include CloudTrail for AWS, Activity Log for Azure, and Operations — formerly Stackdriver — for Google Cloud Platform (GCP).
2.Integrating log ingestion and processing services. Some services can direct logs straight from storage. Most cloud logging is best accomplished by passing logs into an intermediary service for connectivity and ingestion, like Amazon CloudWatch, Azure Monitor or GCP Cloud Logging.
3.Exporting logs for processing or integration with other services. Once logs are processed and handed off to other services, choose the most appropriate connector model. For SIEM export, this will usually be API-driven. For in-cloud log handling and response, this will usually be handled by event processing and integration with serverless and other tools.
Each cloud provider has its own specific options and differences, of course. Azure users can directly integrate from Azure Monitor into Microsoft’s native SIEM, Azure Sentinel. AWS users can integrate third-party connector apps from leading providers, such as Splunk and other SIEM tools, for ingestion from CloudTrail S3 buckets or to stream into a service, such as Kinesis, for ingestion.
Pay attention to the types of logs and events of interest to the cloud security operations center team and to the organization. Unfortunately, there are no shortcuts around this. Cloud SOC and monitoring teams will need to familiarize themselves with these tools and events. Working closely with DevOps and cloud engineering teams can also help cloud security operations analysts understand expected cloud-related events and behaviors in the cloud. These may include autoscaling events, such as new workloads being created and destroyed; automated service accounts and identity interactions; and rapid changes to deployments and even architecture.
To build cloud-oriented detection and response workflows, SOC teams must enable accounts for gaining hands-on experience and storing any potential evidence for investigations. Additionally, they must enable cloud logging and event forwarding and understand how various cloud assets and infrastructure operate. In many cases, this might also require new tools and services, such as cloud-native and cloud-aware endpoint security agents, cloud-oriented SIEM — such as Azure Sentinel or Sumo Logic — and new investigation and forensics tools.